SecurityEngineering/MeetingNotes/07-11-13
Standing Agenda
- Q2 Goals Recap ( https://intranet.mozilla.org/2013Q2Goals#Security_Engineering )
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/06-27-13
Agenda 07-11-13
- Welcome Christoph
- Q2 Goals Postmortem (see below)
- [PT] I'll be in SF/MTV next week to interview a candidate - come have lunch in MTV on Tuesday if you want!
- [PT] FWIW - Q3 FFOS goals for our team: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdC1OZ0VoTEc1UnhzT2ljRnQ3b19XTFE#gid=1
- CSP, Mixed Content can break Bookmarklets - https://bugzilla.mozilla.org/show_bug.cgi?id=866522, https://bugzilla.mozilla.org/show_bug.cgi?id=886663
  - bsmith - suggest we don't worry about it. for mixed content it's just dangerous.
  - grobinson - users trust them; but probably not worth spending a lot of time on (lower priority). would be difficult to implement an exception for bookmarklets. how do we identify the bookmarklet loads?
Q2 Goals Postmortem
- [MISS] land the application reputation scanning tool bug 662819 (mmc)
  - issues with Download Manager
  - need more people from our team working on it
- [DONE] Turn Mixed Content Blocking on in Aurora (tanvi)
  - evangelizing internally key (still faced a lot of backlash from release)
  - QA (thanks Matt!) [LIKE]
  - working with Chrome security team (we should continue to do this)
  - at one point we were going to land in 21, ended up in 23. This caused communication issues (telemetry) between the different release managers for the different releases.
  - Future goals could already be there - couldn't, too busy working more like a Project Manager. This will happen more as we take on more ambitious projects.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=843977
  - https://bugzilla.mozilla.org/show_bug.cgi?id=844556
  - Telemetry: https://bugzilla.mozilla.org/show_bug.cgi?id=781018
- [MISS] land classic cert validation replacement, off by default (bsmith): builds on all platforms, same revocation as classic, pending tests for edge case certificates (certificate usages & chain building).
  - big problem came down to reviews.
  - cviecco trusted bsmith not to make horrible mistakes, which in itself was a mistake.
  - not enough communication (mostly bsmith's fault).
  - "real goal" is turning everything on this quarter, and that's looking good.
  - "meeting the (artificial) goal" could have been done if had focused more on that, rather than the important work that underpins other stuff. Maybe this was not a good goal in the first place.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=878932
- [DONE] land OCSP stapling support and tests (keeler)
  - Non-controversial, not user facing. Buy-in from outside the team.
  - Slow review cycles :(
  - https://bugzilla.mozilla.org/show_bug.cgi?id=700693
- [DONE] Revamp the MDN documentation of CSP and Mixed Content Blocker (imelven + tanvi)
  - Documentation people were supportive and did a lot of work
  - As long as you stay on top and contact them early, it's easily manageable in a quarter
- [DROP] Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux (imelven)
  - Guillaume's patch
  - A lot of support for sandboxing from inside the organization
  - Problem: no unified plan. Instead, a series of plans that were shot down/debated. Really hard to reach consensus on a first pass.
  - https://wiki.mozilla.org/Electrolysis/Roadmap
  - https://bugzilla.mozilla.org/show_bug.cgi?id=790923
- [MISS] Deploy pilot cookie study and publish results. (ddahl)
  - Pretty much done... but never got the data. "Strange" communication problem with the metrics team. ddahl blames himself. Everything else is ready for when the data finally appears.
Big Trends:
- Communication
- Reviews
- Q3 - for our Q3 goals we tried to figure out what other teams need to be involved. We can update the team dependencies on our Q3 goals next week.